Lithuanian DPA issues EUR 15,000 fine for infringements of the General Data Protection Regulation in the Centre of Registers

29 March 2021

Following the incident at the State Enterprise Centre of Registers on 20 July 2020, which disrupted the operation of state registers and state information systems managed by the State Enterprise Centre of Registers, Lithuanian State Data Protection Inspectorate (DPA), after conducting an investigation under the General Data Protection Regulation (GDPR), in February 2021 imposed a fine for improper implementation of technical and organizational data security measures.

A fine of EUR 15,000 was imposed on the State Enterprise Centre of Registers for infringements of Article 32(1) (b) and (c) of the GDPR, namely failure to ensure the ongoing integrity, availability and resilience of processing systems and services, as well as failure to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

The fine imposed on the Centre of Registers as the data controller and / or data processor of 22 registers and information systems. Such a decision on the fine was issued having regard to the state of the art and the costs of implementation, and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, infringement of Article 32(1)(b)(c) of the GDPR, and also taking into account the factors listed in Article 83(2)(a),(d)(g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the SE Centre of Registers.

Pursuant to the Law on Legal Protection of Personal Data, a supervisory authority may impose an administrative fine of up to 0.5% of the current year's budget or other general annual revenues received in the previous year of the public authority or body, but not more than thirty thousand euros, on the authority or body that has violated the provisions of Article 83(4)(a)(b)(c) of the GDPR. 

In determining the amount of the administrative fine, the DPA took into account the factors mitigating the violation committed by the SE Centre of Registers listed in Article 83(2)(b), (c), (e), (f) (h) of the GDPR, namely the absence of intent, the efforts made to restore the damaged data, the absence of facts about the material damage suffered by the data subjects, the close cooperation with the DPA and the absence of previous violations of a similar nature. The DPA also took into account that the State Enterprise Centre of Registers, when implementing security measures, is dependent both on the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with consolidation of state IT resources, and decided that the fine is a proportionate measure to ensure compliance with the provisions of the GDPR in the future.

The DPA points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the GDPR. The processor is directly liable for non-performance or improper performance of this obligation too.

For further information, please contact the Lithuanian supervisory authority:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.